[Openstack-security] [Bug 1664723] Re: replication_slave user and passwords exposed in logging

OpenStack Infra 1664723 at bugs.launchpad.net
Thu Apr 6 14:09:05 UTC 2017


Fix proposed to branch: master
Review: https://review.openstack.org/454204

** Changed in: trove
       Status: New => In Progress

-- 
You received this bug notification because you are a member of OpenStack
Security, which is subscribed to OpenStack.
https://bugs.launchpad.net/bugs/1664723

Title:
  replication_slave user and passwords exposed in logging

Status in OpenStack Security Advisory:
  Won't Fix
Status in OpenStack DBaaS (Trove):
  In Progress

Bug description:
  Currently the passwords and usernames for Trove's replication_user in
  pxc and percona configuration options are exposed in the logger.

  MySQL already has secret=True for their configuration options.

  This patch extends that to all of the other database configuration
  options using oslo.config.cfg.Opt option secret [1].

  See output below for exact logs:

  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_password   = NETOU7897NNLOU from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.628 DEBUG oslo_service.service [-] percona.replication_user       = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744
  tr-api.log.2017-02-14-095217:2017-02-14 10:21:58.636 DEBUG oslo_service.service [-] pxc.replication_user           = slave_user from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744

  References 
  [1] http://docs.openstack.org/developer/oslo.config/cfg.html

To manage notifications about this bug go to:
https://bugs.launchpad.net/ossa/+bug/1664723/+subscriptions
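
A log check for the exposure described in this report, as an added example that is not part of the original message or of Trove's code: it scans oslo.config log_opt_values DEBUG lines and reports sensitive options whose value is not the **** mask that secret=True produces. The sample lines, their values and the SENSITIVE name pattern are constructed assumptions.

```python
import re

# Shape of an oslo.config log_opt_values DEBUG line, as quoted in the report:
#   ... [-] group.option   = value from (pid=N) log_opt_values /path/cfg.py:LINE
OPT_LINE = re.compile(
    r"\]\s+(?P<name>[\w.\-]+)\s+=\s+(?P<value>.*?)\s+"
    r"(?:from \(pid=\d+\)\s+)?log_opt_values\b"
)

# Assumption: option names treated as sensitive. "replication_user" is listed
# because the report counts the replication user name as exposed data.
SENSITIVE = re.compile(r"password|passwd|secret|token|replication_user", re.I)

MASK = "****"  # what oslo.config logs for options declared with secret=True


def find_exposed_options(lines):
    """Return (line_number, option_name) for sensitive options logged unmasked.

    The logged value is never returned, so the findings are safe to share.
    """
    findings = []
    for number, line in enumerate(lines, start=1):
        match = OPT_LINE.search(line)
        if not match:
            continue  # not a log_opt_values line
        name, value = match.group("name"), match.group("value")
        # "None" means the option is unset; MASK means secret=True is in effect.
        if SENSITIVE.search(name) and value not in (MASK, "None"):
            findings.append((number, name))
    return findings


# Constructed sample log in the format shown in the report (values are made up).
SUFFIX = "from (pid=684) log_opt_values /usr/local/lib/python2.7/dist-packages/oslo_config/cfg.py:2744"
PREFIX = "2017-02-14 10:21:58.628 DEBUG oslo_service.service [-]"
SAMPLE_LOG = [
    f"{PREFIX} percona.replication_password   = EXAMPLE-NOT-REAL {SUFFIX}",
    f"{PREFIX} percona.replication_user       = example_user {SUFFIX}",
    f"{PREFIX} mysql.replication_password     = **** {SUFFIX}",
    f"{PREFIX} pxc.replication_user           = example_user {SUFFIX}",
    f"{PREFIX} debug                          = True {SUFFIX}",
]

if __name__ == "__main__":
    for number, name in find_exposed_options(SAMPLE_LOG):
        print(f"line {number}: {name} logged without masking")
```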



